PowerShell Scripts for Advanced Event Log Analysis

Harness the power of PowerShell to analyze Active Directory event logs efficiently

Introduction

PowerShell's Get-WinEvent cmdlet, driven with -FilterHashtable so the filtering happens inside the event log service rather than in the pipeline, is a fast way to analyze Active Directory event logs. This guide collects scripts for the events that matter most in an AD investigation. Each script reads fields through the event's Properties array; the indexes are positional and follow the field order of that specific event ID, so they are not interchangeable between events.

1. Retrieve Recent Failed Logon Attempts

This script fetches recent failed logon attempts, which can help identify potential brute force attacks:

$startDate = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{
    LogName='Security'
    ID=4625
    StartTime=$startDate
} | 
Select-Object TimeCreated, 
    @{Name='UserName';Expression={$_.Properties[5].Value}},
    @{Name='SourceIP';Expression={$_.Properties[19].Value}} |
Format-Table -AutoSize
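A plain listing of 4625 events is hard to read at volume. The following added example (not from the original page) aggregates the same events per source IP over a window, decodes the SubStatus field into a reason, and flags sources that cross a threshold. The window, the threshold and the column names are this example's own choices.

```powershell
# Added example: per-source statistics for failed logons (event 4625).
# $windowHours and $threshold are assumptions; tune them for your environment.
$windowHours = 24
$threshold   = 20    # flag a source with at least this many failures

# SubStatus values documented for event 4625 (subset).
$subStatus = @{
    '0xc000006a' = 'Bad password'
    '0xc0000064' = 'Unknown user name'
    '0xc0000072' = 'Account disabled'
    '0xc0000234' = 'Account locked out'
    '0xc000006f' = 'Outside logon hours'
    '0xc0000070' = 'Workstation restriction'
    '0xc0000071' = 'Password expired'
    '0xc0000193' = 'Account expired'
}

# Get-WinEvent raises an error when nothing matches; treat that as "no failures".
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    ID        = 4625
    StartTime = (Get-Date).AddHours(-$windowHours)
} -ErrorAction SilentlyContinue

# Flatten each event into a row. Indexes follow the 4625 field order:
# 5 TargetUserName, 6 TargetDomainName, 9 SubStatus, 10 LogonType,
# 13 WorkstationName, 19 IpAddress.
$failures = foreach ($e in $events) {
    $p      = $e.Properties
    $code   = '0x{0:x8}' -f [uint32]$p[9].Value
    $reason = if ($subStatus.ContainsKey($code)) { $subStatus[$code] } else { $code }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = '{0}\{1}' -f $p[6].Value, $p[5].Value
        SourceIP    = $p[19].Value
        Workstation = $p[13].Value
        LogonType   = $p[10].Value
        Reason      = $reason
    }
}

# One row per source IP. Many failures against few accounts looks like brute
# force; a few failures spread over many accounts looks like password spraying.
$bySource = $failures | Group-Object SourceIP | ForEach-Object {
    $times   = @($_.Group.Time | Sort-Object)
    $reasons = @($_.Group | Group-Object Reason | Sort-Object Count -Descending)
    [pscustomobject]@{
        SourceIP  = $_.Name
        Failures  = $_.Count
        Accounts  = @($_.Group.Account | Sort-Object -Unique).Count
        FirstSeen = $times[0]
        LastSeen  = $times[-1]
        TopReason = $reasons[0].Name
    }
} | Where-Object { $_.Failures -ge $threshold } | Sort-Object Failures -Descending

$bySource | Format-Table -AutoSize
```

The Accounts column is the quickest discriminator: a source with hundreds of failures against one account is a brute force attempt, while a source with a handful of failures against dozens of accounts is spraying and will rarely trip a per-account lockout.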

2. Monitor Account Lockouts

This script helps track account lockouts, which could indicate a targeted attack. Lockouts are processed by, and event 4740 is written on, the PDC emulator, so run this against that domain controller (found with `(Get-ADDomain).PDCEmulator`) to see every lockout in the domain:

Get-WinEvent -FilterHashtable @{
    LogName='Security'
    ID=4740
} -MaxEvents 50 | 
Select-Object TimeCreated, 
    @{Name='LockedAccount';Expression={$_.Properties[0].Value}},
    @{Name='CallerComputer';Expression={$_.Properties[1].Value}} |
Format-Table -AutoSize

3. Track Changes to Security Groups

Monitor additions to security-sensitive groups:

$groupEvents = @(4728, 4732, 4756)
Get-WinEvent -FilterHashtable @{
    LogName='Security'
    ID=$groupEvents
} -MaxEvents 100 | 
Select-Object TimeCreated, ID,
    @{Name='GroupName';Expression={$_.Properties[2].Value}},
    @{Name='MemberName';Expression={$_.Properties[0].Value}},
    @{Name='Who';Expression={$_.Properties[6].Value}} |
Format-Table -AutoSize

4. Detect Cleared Event Logs

This script helps identify attempts to cover tracks by clearing the Security log. Event 1102 is written to the Security log itself and only records that log being cleared; clearing of other logs (System, Application, PowerShell) is recorded as event 104 in the System log. The first property of 1102 is the clearing user's SID, not a log name:

Get-WinEvent -FilterHashtable @{
    LogName='Security'
    ID=1102
} -MaxEvents 10 | 
Select-Object TimeCreated, 
    @{Name='UserName';Expression={$_.Properties[1].Value}},
    @{Name='Domain';Expression={$_.Properties[2].Value}},
    @{Name='UserSid';Expression={$_.Properties[0].Value}} |
Format-Table -AutoSize

5. Monitor for New Service Installations

Detect potentially malicious service installations. The account the service runs as (Properties[4]) is worth showing alongside the image path, since services created by tooling such as PsExec or by lateral-movement frameworks typically run as LocalSystem from an unusual path:

Get-WinEvent -FilterHashtable @{
    LogName='System'
    ID=7045
} -MaxEvents 50 | 
Select-Object TimeCreated, 
    @{Name='ServiceName';Expression={$_.Properties[0].Value}},
    @{Name='ImagePath';Expression={$_.Properties[1].Value}},
    @{Name='RunAs';Expression={$_.Properties[4].Value}} |
Format-Table -AutoSize

6. Analyze Logon Types

This script provides a breakdown of different logon types, helping to identify unusual patterns. Note that the LogonType field of 4624 arrives as a UInt32 while the literal keys in the lookup table are Int32; a hashtable lookup does not convert between the two, so the value must be cast before indexing or every group comes back unnamed:

$logonTypes = @{
    2='Interactive'
    3='Network'
    4='Batch'
    5='Service'
    7='Unlock'
    8='NetworkCleartext'
    9='NewCredentials'
    10='RemoteInteractive'
    11='CachedInteractive'
}

Get-WinEvent -FilterHashtable @{
    LogName='Security'
    ID=4624
} -MaxEvents 1000 | 
Group-Object {
    # Cast UInt32 -> Int32 so the lookup matches the table keys; label unknown types by number.
    $t = [int]$_.Properties[8].Value
    if ($logonTypes.ContainsKey($t)) { $logonTypes[$t] } else { "Type $t" }
} | 
Select-Object Count, Name |
Sort-Object Count -Descending |
Format-Table -AutoSize

7. Track User Account Changes

Monitor modifications to user accounts. Event 4738 begins with a placeholder field, so the modified account is Properties[1] (with its domain in Properties[2]) and the account that made the change is Properties[5]:

Get-WinEvent -FilterHashtable @{
    LogName='Security'
    ID=4738
} -MaxEvents 50 | 
Select-Object TimeCreated, 
    @{Name='UserModified';Expression={$_.Properties[1].Value}},
    @{Name='Domain';Expression={$_.Properties[2].Value}},
    @{Name='ModifiedBy';Expression={$_.Properties[5].Value}} |
Format-Table -AutoSize
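The positional indexes used in sections 3 and 7 are fragile: the order differs per event ID, 4738 carries a placeholder field first, and 1102 stores its fields under UserData rather than EventData, so a wrong index silently returns the wrong column. The following added example (not from the original page) reads the event's XML and exposes every named field as a property, then reruns the section 7 and section 3 queries by field name. ConvertTo-EventData is this example's own function name.

```powershell
# Added example: address event fields by their manifest names instead of
# Properties[] positions. Not part of the original page.
function ConvertTo-EventData {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event
    )
    process {
        $xml = [xml]$Event.ToXml()
        $row = [ordered]@{
            TimeCreated = $Event.TimeCreated
            Id          = $Event.Id
            Computer    = $xml.Event.System.Computer
        }
        # Most security events: <EventData><Data Name="X">value</Data>...</EventData>
        foreach ($d in @($xml.Event.EventData.Data)) {
            if ($d.Name) { $row[$d.Name] = $d.'#text' }
        }
        # Some events (1102 among them) carry a typed payload under <UserData>,
        # whose single child element holds one element per field.
        $ud = $xml.Event.UserData
        if ($ud -and $ud.FirstChild) {
            foreach ($n in $ud.FirstChild.ChildNodes) { $row[$n.LocalName] = $n.InnerText }
        }
        [pscustomobject]$row
    }
}

# Section 7 by name: the attributes that changed carry a value, unchanged ones show "-".
Get-WinEvent -FilterHashtable @{ LogName='Security'; ID=4738 } -MaxEvents 50 |
    ConvertTo-EventData |
    Select-Object TimeCreated, TargetDomainName, TargetUserName, SubjectUserName,
                  SamAccountName, UserPrincipalName, PasswordLastSet, UserAccountControl |
    Format-Table -AutoSize

# Section 3 by name: only additions to the most sensitive groups.
# In 4728/4732/4756 the group is TargetUserName and the added account is MemberName.
$sensitiveGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
Get-WinEvent -FilterHashtable @{ LogName='Security'; ID=@(4728, 4732, 4756) } -MaxEvents 200 |
    ConvertTo-EventData |
    Where-Object { $_.TargetUserName -in $sensitiveGroups } |
    Select-Object TimeCreated, Id, TargetUserName, MemberName, SubjectUserName |
    Format-Table -AutoSize
```

Parsing the XML costs more per event than reading Properties[], so keep -FilterHashtable doing the coarse selection and apply the helper only to the events that survive it.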

Best Practices for PowerShell Event Analysis

Advanced Techniques

Parallel Processing for Large Environments

For environments with multiple domain controllers, consider using PowerShell's parallel processing capabilities. ForEach-Object -Parallel requires PowerShell 7 or later, and the events come back in whatever order the runspaces finish, so sort by TimeCreated before reading the result:

# Requires PowerShell 7+ for ForEach-Object -Parallel
$dcs = Get-ADDomainController -Filter *
$dcs | ForEach-Object -Parallel {
    $dc = $_.HostName
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName='Security'
        ID=4625
    } -MaxEvents 100 |
    Select-Object @{Name='DC';Expression={$dc}}, TimeCreated, 
        @{Name='UserName';Expression={$_.Properties[5].Value}}
} -ThrottleLimit 10 | Sort-Object TimeCreated

Note: Always ensure you have the necessary permissions before accessing event logs remotely; reading the Security log of a domain controller requires membership in Event Log Readers or an equivalent right on that DC. Additionally, be mindful of the performance impact when running scripts against production systems: bound each query with StartTime or -MaxEvents rather than pulling whole logs over the network.
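Where PowerShell 7 is not available on the analyst workstation, or where pulling logs over RPC from every DC is too slow, the query can run on each domain controller instead and return only the rows. The following added example (not from the original page) does that with Invoke-Command, which has fan-out and throttling built in on Windows PowerShell 5.1 and tags every returned object with the DC it came from; the time window is this example's choice.

```powershell
# Added example: run the failed-logon query on each DC and return only the
# selected columns. Works on Windows PowerShell 5.1 (no ForEach-Object -Parallel).
$since = (Get-Date).AddHours(-24)   # assumption: a 24-hour window
$dcs   = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ThrottleLimit 10 -ArgumentList $since -ScriptBlock {
    param($since)
    # The filter runs on the DC; unreachable DCs produce a non-terminating error and are skipped.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        ID        = 4625
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            UserName    = $_.Properties[5].Value
            SourceIP    = $_.Properties[19].Value
        }
    }
}

# Invoke-Command adds PSComputerName to each object, so no manual DC column is needed.
$results |
    Sort-Object TimeCreated |
    Select-Object PSComputerName, TimeCreated, UserName, SourceIP |
    Format-Table -AutoSize
```

Invoke-Command needs WinRM enabled on the DCs and a caller who is permitted to connect (an administrator or a member of Remote Management Users with access to the Security log); Get-WinEvent -ComputerName uses the event log RPC interface instead, so the two approaches need different firewall openings.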
